I'm David Rosenthal, and this is a place to discuss the work I'm doing in Digital Preservation.

Monday, December 10, 2018

Blockchain: What's Not To Like?

I gave a talk at the Fall CNI meeting entitled Blockchain: What's Not To Like? The abstract was:

We're in a period when blockchain or "Distributed Ledger Technology" is the Solution to Everything™, so it is inevitable that it will be proposed as the solution to the problems of academic communication and digital preservation. These proposals typically assume, despite the evidence, that real-world blockchain implementations actually deliver the theoretical attributes of decentralization, immutability, anonymity, security, scalability, sustainability, lack of trust, etc. The proposers appear to believe that Satoshi Nakamoto revealed the infallible Bitcoin protocol to the world on golden tablets; they typically don't appreciate or cite the nearly three decades of research and implementation that led up to it. This talk will discuss the mis-match between theory and practice in blockchain technology, and how it applies to various proposed applications of interest to the CNI audience.

Below the fold, an edited text of the talk with links to the sources, and much additional material. The colored boxes contain quotations that were on the slides but weren't spoken.

Update: the video of my talk has now been posted on YouTube and Vimeo.

It’s one of these things that if people say it often enough it starts to sound like something that could work,

I'd like to start by thanking Cliff Lynch for inviting me back even though I'm retired, and for letting me debug the talk at Berkeley's Information Access Seminar. I plan to talk for 20 minutes, leaving plenty of time for questions. A lot of information will be coming at you fast. Afterwards, I encourage you to consult the whole text of the talk and much additional material on my blog. Follow the links to the sources to get the details you may have missed.

The first comes from commercial interests where management of rights, IP and ownership is complex, hard to do, and has led to unusable systems that are driving researchers to sites like SciHub, scaring the bejesus out of publishers in the process.

The other trend is for a desire to move to a decentralised web and a decentralised system of validation and reward, in a way trying to move even further away from the control of publishers.

It is absolutely fascinating to me that two diametrically opposite philosophical sides are converging on the same technology as the answer to their problems. Could this technology perhaps be just holding up an unproven and untrustworthy mirror to our desires, rather than providing any real viable solutions?

This is not to diminish Nakamoto's achievement but to point out that he stood on the shoulders of giants. Indeed, by tracing the origins of the ideas in bitcoin, we can zero in on Nakamoto's true leap of insight—the specific, complex way in which the underlying components are put together.

More than fifteen years ago, nearly five years before Satoshi Nakamoto published the Bitcoin protocol, a cryptocurrency based on a decentralized consensus mechanism using proof-of-work, my co-authors and I won a "best paper" award at the prestigious SOSP workshop for a decentralized consensus mechanism using proof-of-work. It is the protocol underlying the LOCKSS system. The originality of our work didn't lie in decentralization, distributed consensus, or proof-of-work. All of these were part of the nearly three decades of research and implementation leading up to the Bitcoin protocol, as described by Arvind Narayanan and Jeremy Clark in Bitcoin's Academic Pedigree. Our work was original only in its application of these techniques to statistical fault tolerance; Nakamoto's only in its application of them to preventing double-spending in cryptocurrencies.

We're going to walk through the design of a system to perform some function, say monetary transactions, storing files, recording reviewers' contributions to academic communication, verifying archival content, whatever. Being of a naturally suspicious turn of mind, you don't want to trust any single central entity, but instead want a decentralized system. You place your trust in the consensus of a large number of entities, which will in effect vote on the state transitions of your system (the transactions, reviews, archival content, ...). You hope the good entities will out-vote the bad entities. In the jargon, the system is trustless (a misnomer).

Techniques using multiple voters to maintain the state of a system in the presence of unreliable and malign voters were first published in The Byzantine Generals Problem by Lamport et al in 1982. Alas, Byzantine Fault Tolerance (BFT) requires a central authority to authorize entities to take part. In the blockchain jargon, it is permissioned. You would rather let anyone interested take part, a permissionless system with no central control.

In the case of blockchain protocols, the mathematical and economic reasoning behind the safety of the consensus often relies crucially on the uncoordinated choice model, or the assumption that the game consists of many small actors that make decisions independently.

The security of your permissionless system depends upon the assumption of uncoordinated choice, the idea that each voter acts independently upon its own view of the system's state.

If anyone can take part, your system is vulnerable to Sybil attacks, in which an attacker creates many apparently independent voters who are actually under his sole control. If creating and maintaining a voter is free, anyone can win any vote they choose simply by creating enough Sybil voters.

From a computer security perspective, the key thing to note ... is that the security of the blockchain is linear in the amount of expenditure on mining power, ... In contrast, in many other contexts investments in computer security yield convex returns (e.g., traditional uses of cryptography) ... analogously to how a lock on a door increases the security of a house by more than the cost of the lock.

So creating and maintaining a voter has to be expensive. Permissionless systems can defend against Sybil attacks by requiring a vote to be accompanied by a proof of the expenditure of some resource. This is where proof-of-work comes in, a concept originated by Cynthia Dwork and Moni Naor in 1992. To vote in a proof-of-work blockchain such as Bitcoin's or Ethereum's requires computing very many otherwise useless hashes. The idea is that the good voters will spend more, compute more useless hashes, than the bad voters.

much of the innovation in blockchain technology has been aimed at wresting power from centralised authorities or monopolies. Unfortunately, the blockchain community’s utopian vision of a decentralised world is not without substantial costs. In recent research, we point out a ‘blockchain trilemma’ – it is impossible for any ledger to fully satisfy the three properties shown in [the diagram] simultaneously ... In particular, decentralisation has three main costs: waste of resources, scalability problems, and network externality inefficiencies.

Brunnermeier and Abadi's Blockchain Trilemma shows that a blockchain has to choose at most two of the following three attributes:

correctness

decentralization

cost-efficiency

Obviously, your system needs the first two, so the third has to go. Running a voter (mining in the jargon) in your system has to be expensive if the system is to be secure. No-one will do it unless they are rewarded. They can't be rewarded in "fiat currency", because that would need some central mechanism for paying them. So the reward has to come in the form of coins generated by the system itself, a cryptocurrency. To scale, permissionless systems need to be based on a cryptocurrency; the system's state transitions will need to include cryptocurrency transactions in addition to records of files, reviews, archival content, whatever.

Your system needs names for the parties to these transactions. There is no central authority handing out names, so the parties need to name themselves. As proposed by David Chaum in 1981 they can do so by generating a public-private key pair, and using the public key as the name for the source or sink of each transaction.

we created a small Bitcoin wallet, placed it on images in our honeyfarm, and set up monitoring routines to check for theft. Two months later our monitor program triggered when someone stole our coins.

This was not because our Bitcoin was stolen from a honeypot, rather the graduate student who created the wallet maintained a copy and his account was compromised. If security experts can't safely keep cryptocurrencies on an Internet-connected computer, nobody can. If Bitcoin is the "Internet of money," what does it say that it cannot be safely stored on an Internet-connected computer?

In practice this is implemented in wallet software, which stores one or more key pairs for use in transactions. The public half of the pair is a pseudonym. Unmasking the person behind the pseudonym turns out to be fairly easy in practice.

The security of the system depends upon the user and the software keeping the private key secret. This can be difficult, as Nicholas Weaver's computer security group at Berkeley discovered when their wallet was compromised and their Bitcoins were stolen.

The capital and operational costs of running a miner include buying hardware, power, network bandwidth, staff time, etc. Bitcoin's volatile "price", high transaction fees, low transaction throughput, and large proportion of failed transactions mean that almost no legal merchants accept payment in Bitcoin or other cryptocurrency. Thus one essential part of your system is one or more exchanges, at which the miners can sell their cryptocurrency rewards for the "fiat currency" they need to pay their bills.

Who is on the other side of those trades? The answer has to be speculators, betting that the "price" of the cryptocurrency will increase. Thus a second essential part of your system is a general belief in the inevitable rise in "price" of the coins by which the miners are rewarded. If miners believe that the "price" will go down, they will sell their rewards immediately, a self-fulfilling prophecy. Permissionless blockchains require an inflow of speculative funds at an average rate greater than the current rate of mining rewards if the "price" is not to collapse. To maintain Bitcoin's price at $4K requires an inflow of $300K/hour.

In order to spend enough to be secure, say $300K/hour, you need a lot of miners. It turns out that a third essential part of your system is a small number of “mining pools”. Bitcoin has the equivalent of around 3M Antminer S9s, and a block time of 10 minutes. Each S9, costing maybe $1K, can expect a reward about once every 60 years. It will be obsolete in about a year, so only 1 in 60 will ever earn anything.

To smooth out their income, miners join pools, contributing their mining power and receiving the corresponding fraction of the rewards earned by the pool. These pools have strong economies of scale, so successful cryptocurrencies end up with a majority of their mining power in 3-4 pools. Each of the big pools can expect a reward every hour or so. These blockchains aren’t decentralized, but centralized around a few large pools.

Since then there have been other catastrophic bugs in these smart contracts, the biggest one in the Parity Ethereum wallet software ... The first bug enabled the mass theft from "multisignature" wallets, which supposedly required multiple independent cryptographic signatures on transfers as a way to prevent theft. Fortunately, that bug caused limited damage because a good thief stole most of the money and then returned it to the victims. Yet, the good news was limited as a subsequent bug rendered all of the new multisignature wallets permanently inaccessible, effectively destroying some $150M in notional value. This buggy code was largely written by Gavin Wood, the creator of the Solidity programming language and one of the founders of Ethereum. Again, we have a situation where even an expert's efforts fell short.

Recent game-theoretic analysis suggests that there are strong economic limits to the security of cryptocurrency-based blockchains. For safety, the total value of transactions in a block needs to be less than the value of the block reward.

Your system needs an append-only data structure to which records of the transactions, files, reviews, archival content, whatever are appended. It would be bad if the miners could vote to re-write history, undoing these records. In the jargon, the system needs to be immutable (another misnomer).

The blockchain is mutable, it is just rather hard to mutate it without being detected, because of the Merkle tree’s hashes, and easy to recover, because there are Lots Of Copies Keeping Stuff Safe. But this is a double-edged sword. Immutability makes systems incompatible with the GDPR, and immutable systems to which anyone can post information will be suppressed by governments.
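An added example, not code from the talk or from LOCKSS or Bitcoin: a toy chain whose blocks commit to their records through a Merkle root and to the previous block through its hash. It shows that a crude edit of one record is caught by recomputing hashes, that a copy can nevertheless be rewritten into internal consistency (mutability), and that comparing several copies both detects the rewrite and repairs the damaged copy. Block layout, record format and the sample ledger are constructed for this example.

```python
import copy
import hashlib
from collections import Counter

GENESIS = "0" * 64  # constructed: previous-hash field of the first block


def h(data):
    return hashlib.sha256(data.encode()).hexdigest()


def merkle_root(records):
    """Hash each record, then hash adjacent pairs up to a single root. An odd
    last node is paired with itself, as Bitcoin does."""
    level = [h(r) for r in records] or [h("")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def make_block(prev_hash, records):
    root = merkle_root(records)
    return {"prev": prev_hash, "root": root, "records": list(records),
            "hash": h(prev_hash + "|" + root)}


def build_chain(batches, prev=GENESIS):
    chain = []
    for batch in batches:
        block = make_block(prev, batch)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_bad_block(chain):
    """Index of the first block whose records or links disagree with its
    committed hashes, or None if this copy is internally consistent."""
    prev = GENESIS
    for i, b in enumerate(chain):
        if (b["prev"] != prev or merkle_root(b["records"]) != b["root"]
                or h(b["prev"] + "|" + b["root"]) != b["hash"]):
            return i
        prev = b["hash"]
    return None


def tamper(chain, index, position, new_record):
    """Crude edit of one record in one copy; the Merkle root no longer matches."""
    damaged = copy.deepcopy(chain)
    damaged[index]["records"][position] = new_record
    return damaged


def rewrite_history(chain, index, new_records):
    """Replace block `index` and recompute every later block, so this copy is
    internally consistent again. This is what 'mutable' means here: the hashes
    make a rewrite costly and detectable by comparison with other copies, but
    they do not make it impossible."""
    kept = copy.deepcopy(chain[:index])
    prev = kept[-1]["hash"] if kept else GENESIS
    later = [b["records"] for b in chain[index + 1:]]
    return kept + build_chain([new_records] + later, prev)


def repair_from_copies(copies):
    """Block-by-block majority vote across copies (the LOCKSS idea). Returns
    the repaired chain and the indices of copies that disagreed anywhere.
    Assumes all copies have the same length."""
    repaired, suspects = [], set()
    for i in range(len(copies[0])):
        winner = Counter(c[i]["hash"] for c in copies).most_common(1)[0][0]
        repaired.append(copy.deepcopy(next(c[i] for c in copies
                                           if c[i]["hash"] == winner)))
        suspects.update(k for k, c in enumerate(copies) if c[i]["hash"] != winner)
    return repaired, sorted(suspects)


# Constructed sample ledger: three blocks of toy transfer records.
SAMPLE_BATCHES = [["alice->bob 5"], ["bob->carol 2", "carol->dave 1"],
                  ["dave->alice 3"]]
```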

Cryptokitties’ popularity exploded in early December and had the Ethereum network gasping for air. ... Ethereum has historically made bold claims that it is able to handle unlimited decentralized applications ... The Crypto-Kittie app has shown itself to have the power to place all network processing into congestion. ... at its peak [CryptoKitties] likely only had about 14,000 daily users. Neopets, a game to which CryptoKitties is often compared, once had as many as 35 million users.

A user of your system wanting to perform a transaction, store a file, record a review, whatever, needs to persuade miners to include their transaction in a block. Miners are coin-operated; you need to pay them to do so. How much do you need to pay them? That question reveals another economic problem, fixed supply and variable demand, which equals variable "price". Each block is in effect a blind auction among the pending transactions.

So let's talk about CryptoKitties, a game that brought the Ethereum blockchain to its knees despite the bold claims that it could handle unlimited decentralized applications. How many users did it take to cripple the network? It was far fewer than non-blockchain apps can handle with ease; CryptoKitties peaked at about 14K users. NeoPets, a similar centralized game, peaked at about 2,500 times as many.

Nakamoto's Bitcoin blockchain was designed only to support recording transactions. It can be abused for other purposes, such as storing illegal content. But it is likely that you need additional functionality, which is where Ethereum's "smart contracts" come in. These are fully functional programs, written in a JavaScript-like language, embedded in Ethereum's blockchain. They are mainly used to implement Ponzi schemes, but they can also be used to implement Initial Coin Offerings, games such as Cryptokitties, and gambling parlors. Further, in On-Chain Vote Buying and the Rise of Dark DAOs Philip Daian and co-authors show that "smart contracts" also provide for untraceable on-chain collusion in which the parties are mutually pseudonymous.

The first big smart contract, the DAO or Decentralized Autonomous Organization, sought to create a democratic mutual fund where investors could invest their Ethereum and then vote on possible investments. Approximately 10% of all Ethereum ended up in the DAO before someone discovered a reentrancy bug that enabled the attacker to effectively steal all the Ethereum. The only reason this bug and theft did not result in global losses is that Ethereum developers released a new version of the system that effectively undid the theft by altering the supposedly immutable blockchain.

The loot was restored by a "hard fork", the blockchain's version of mutability. Since then it has become the norm for "smart contract" authors to make them "upgradeable", so that bugs can be fixed. "Upgradeable" is another way of saying "immutable in name only".

Permissionless systems trust:

The core developers of the blockchain software not to write bugs.

The developers of your wallet software not to write bugs.

The developers of the exchanges not to write bugs.

The operators of the exchanges not to manipulate the markets or to commit fraud.

The developers of your upgradeable "smart contracts" not to write bugs.

The owners of the smart contracts to keep their secret key secret.

The owners of the upgradeable smart contracts to avoid losing their secret key.

The owners and operators of the dominant mining pools not to collude.

The speculators to provide the funds needed to keep the “price” going up.

Users' ability to keep their secret key secret.

Users’ ability to avoid losing their secret key.

Other users not to transact when you want to.

So, this is the list of people your permissionless system has to trust if it is going to work as advertised over the long term.

You started out to build a trustless, decentralized system but you have ended up with:

A trustless system that trusts a lot of people you have every reason not to trust.

A decentralized system that is centralized around a few large mining pools that you have no way of knowing aren’t conspiring together.

An immutable system that either has bugs you cannot fix, or is not immutable.

A system whose security depends on it being expensive to run, and which is thus dependent upon a continuing inflow of funds from speculators.

A system whose coins are convertible into large amounts of "fiat currency" via irreversible pseudonymous transactions, which is thus an irresistible target for crime.

If the “price” keeps going up, the temptation for your trust to be violated is considerable. If the "price" starts going down, the temptation to cheat to recover losses is even greater.

Maybe it is time for a re-think.

Suppose you give up on the idea that anyone can take part and accept that you have to trust a central authority to decide who can and who can’t vote. You will have a permissioned system.

The first thing that happens is that it is no longer possible to mount a Sybil attack, so there is no reason running a node need be expensive. You can use BFT to establish consensus, as IBM’s Hyperledger, the canonical permissioned blockchain system, does. You need many fewer nodes in the network, and running a node just got way cheaper. Overall, the aggregated cost of the system got orders of magnitude cheaper.

Now that there is a central authority, it can collect “fiat currency” for network services and use it to pay the nodes. No need for cryptocurrency, exchanges, pools, speculators, or wallets, so much less temptation for bad behavior.

Permissioned systems trust:

The central authority.

The software developers.

The owners and operators of the nodes.

The secrecy of a few private keys.

This is now the list of entities you trust. Trusting a central authority to determine the voter roll has eliminated the need to trust a whole lot of other entities. The permissioned system is more trustless and, since there is no need for pools, the network is more decentralized despite having fewer nodes.

Faults  Replicas
     1         4
     2         7
     3        10
     4        13
     5        16
     6        19

a Byzantine quorum system of size 20 could achieve better decentralization than proof-of-work mining at a much lower resource cost.

How many nodes does your permissioned blockchain need? The rule for BFT is that 3f + 1 nodes can survive f simultaneous failures. That's an awful lot fewer than you need for a permissionless proof-of-work blockchain. What you get from BFT is a system that, unless it encounters more than f simultaneous failures, remains available and operating normally.

The problem with BFT is that if it encounters more than f simultaneous failures, the state of the system is irrecoverable. If you want a system that can be relied upon for the long term you need a way to recover from disaster. Successful permissionless blockchains have Lots Of Copies Keeping Stuff Safe, so recovering from a disaster that doesn't affect all of them is manageable.
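An added worked check of the 3f + 1 rule behind the table above, not code from the talk or from any BFT implementation: replicas commit a value once it has 2f + 1 votes, honest replicas vote for exactly one value, and faulty ones may vote for both. Brute force over every split of the honest votes shows that two contradictory values can never both be committed with up to f faults, and can be once there are f + 1, which is why going past f is the point of no return the text describes. The vote model is this example's own simplification.

```python
def replicas_for(f):
    """The table's rule: 3f + 1 replicas tolerate f simultaneous Byzantine faults."""
    return 3 * f + 1


def quorum_for(f):
    """Votes needed to commit: 2f + 1. Any two such quorums drawn from 3f + 1
    replicas overlap in at least f + 1 replicas, hence in at least one honest one."""
    return 2 * f + 1


def tolerated_faults(n):
    """Largest f with 3f + 1 <= n (a quorum system of size 20 tolerates 6)."""
    return (n - 1) // 3


def conflicting_commits_possible(n, quorum, actual_faulty):
    """Brute-force safety check. Honest replicas each vote for exactly one of
    two values, A or B, split in every possible way; faulty replicas equivocate
    and vote for both. Returns True if some split lets A and B both reach a
    quorum, i.e. two parts of the system could commit contradictory states."""
    honest = n - actual_faulty
    for honest_for_a in range(honest + 1):
        votes_a = honest_for_a + actual_faulty
        votes_b = (honest - honest_for_a) + actual_faulty
        if votes_a >= quorum and votes_b >= quorum:
            return True
    return False


def honest_can_progress(n, quorum, actual_faulty):
    """Liveness: with the faulty replicas silent, can the honest ones alone
    still form a quorum? True up to f faults, False beyond."""
    return n - actual_faulty >= quorum


def safety_table(max_f):
    """For each f: (f, replicas, safe with f faults, safe with f + 1 faults)."""
    rows = []
    for f in range(1, max_f + 1):
        n, q = replicas_for(f), quorum_for(f)
        rows.append((f, n,
                     not conflicting_commits_possible(n, q, f),
                     not conflicting_commits_possible(n, q, f + 1)))
    return rows
```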

So in addition to implementing BFT you need to back up the state of the system each block time, ideally to write-once media so that the attacker can't change it. But if you're going to have an immutable backup of the system's state, and you don't need continuous uptime, you can rely on the backup to recover from failures. In that case you can get away with, say, 2 replicas of the blockchain in conventional databases, saving even more money.

I've shown that, whatever consensus mechanism they use, permissionless blockchains are not sustainable for very fundamental economic reasons. These include the need for speculative inflows and mining pools, security linear in cost, economies of scale, and fixed supply vs. variable demand. Proof-of-work blockchains are also environmentally unsustainable. The top 5 cryptocurrencies are estimated to use as much energy as The Netherlands. This isn't to take away from Nakamoto's ingenuity; proof-of-work is the only consensus system shown to work well for permissionless blockchains. The consensus mechanism works, but energy consumption and emergent behaviors at higher levels of the system make it unsustainable.

Additional Material

It can be very hard to find reliable sources about cryptocurrencies because almost all cryptocurrency journalism is bought and paid for.

When cryptocurrency issuers want positive coverage for their virtual coins, they buy it. Self-proclaimed social media personalities charge thousands of dollars for video reviews. Research houses accept payments in the cryptocurrencies they are analyzing. Rating “experts” will grade anything positively, for a price.

All this is common, according to more than two dozen people in the cryptocurrency market and documents reviewed by Reuters.
...
“The main reason why so many inexperienced individuals invest in bad crypto projects is because they listen to advice from a so-called expert,” said Larry Cermak, head of analysis at cryptocurrency research and news website The Block. Cermak said he does not own any cryptocurrencies and has never promoted any. “They believe they can take this advice at face value even though it is often fraudulent, intentionally misleading or conflicted.”

The boxer Floyd Mayweather and the music producer DJ Khaled have been fined for unlawfully touting cryptocurrencies.

The two have agreed to pay a combined $767,500 in fines and penalties, the Securities and Exchange Commission (SEC) said in a statement on Thursday. They neither admitted nor denied the regulator’s charges.

According to the SEC, Mayweather and Khaled failed to disclose payments from three initial coin offerings (ICOs), in which new currencies are sold to investors.

The women on this boat are polished and perfect; the men, by contrast, seem strangely cured—not like medicine, but like meat. They are almost all white, between the ages of 30 and 50, and are trying very hard to have the good time they paid thousands for, while remaining professional in a scene where many thought leaders have murky pasts, a tendency to talk like YouTube conspiracy preachers, and/or the habit of appearing in magazines naked and covered in strawberries. That last is 73-year-old John McAfee, who got rich with the anti-virus software McAfee Security before jumping into cryptocurrencies. He is the man most of the acolytes here are keenest to get their picture taken with and is constantly surrounded by private security who do their best to aesthetically out-thug every Armani-suited Russian skinhead on deck. Occasionally he commandeers the grand piano in the guest lounge, and the young live-streamers clamor for the best shot. John McAfee has never been convicted of rape and murder, but—crucially—not in the same way that you or I have never been convicted of rape or murder.

On 7th December 2018 Bitcoin's "price" was around $3,700.

Bitcoin now at $16,600.00. Those of you in the old school who believe this is a bubble simply have not understood the new mathematics of the Blockchain, or you did not care enough to try. Bubbles are mathematically impossible in this new paradigm. So are corrections and all else.

Similarly, most of what you read about blockchain technology is people hyping their vaporware. A "trio of monitoring, evaluation, research, and learning, (MERL) practitioners in international development" started out enthusiastic about the potential of blockchain technology, so they did some research:

We documented 43 blockchain use-cases through internet searches, most of which were described with glowing claims like “operational costs… reduced up to 90%,” or with the assurance of “accurate and secure data capture and storage.” We found a proliferation of press releases, white papers, and persuasively written articles. However, we found no documentation or evidence of the results blockchain was purported to have achieved in these claims. We also did not find lessons learned or practical insights, as are available for other technologies in development.

We fared no better when we reached out directly to several blockchain firms, via email, phone, and in person. Not one was willing to share data on program results, MERL processes, or adaptive management for potential scale-up. Despite all the hype about how blockchain will bring unheralded transparency to processes and operations in low-trust environments, the industry is itself opaque. From this, we determined the lack of evidence supporting value claims of blockchain in the international development space is a critical gap for potential adopters.

Every time the word "price" appears here, it has quotes around it. The reason is that there is a great deal of evidence that the exchanges, operating an unregulated market, are massively manipulating the exchange rate between cryptocurrencies and the US dollar. The primary mechanism is the issuance of billions of dollars of Tether, a cryptocurrency that is claimed to be backed one-for-one by actual US dollars in a bank account, and thus whose value should be stable. There has never been an audit to confirm this claim, and the trading patterns in Tether are highly suspicious. Tether, and its parent exchange Bitfinex, are the subject of investigations by the CFTC and federal prosecutors:

As Bitcoin plunges, the U.S. Justice Department is investigating whether last year’s epic rally was fueled in part by manipulation, with traders driving it up with Tether -- a popular but controversial digital token.

While federal prosecutors opened a broad criminal probe into cryptocurrencies months ago, they’ve recently homed in on suspicions that a tangled web involving Bitcoin, Tether and crypto exchange Bitfinex might have been used to illegally move prices, said three people familiar with the matter.

John Lewis is an economist at the Bank of England. His The seven deadly paradoxes of cryptocurrency provides a skeptical view of the economics of cryptocurrencies that nicely complements my more technology-centric view. My comments on his post are here. Remember that a permissionless blockchain requires a cryptocurrency; if the economics don't work neither does the blockchain.

You can find my writings about blockchain over the past five years here. In particular:

The DAO was designed as a series of contracts that would raise funds for ethereum-based projects and disperse them based on the votes of members. An initial token offering was conducted, exchanging ethers for "DAO tokens" that would allow stakeholders to vote on proposals, including ones to grant funding to a particular project.

That token offering raised more than $150m worth of ether at then-current prices, distributing over 1bn DAO tokens.

[In May 2016], however, news broke that a flaw in The DAO's smart contract had been exploited, allowing the removal of more than 3m ethers.

Subsequent exploitations allowed for more funds to be removed, which ultimately triggered a 'white hat' effort by token-holders to secure the remaining funds. That, in turn, triggered reprisals from others seeking to exploit the same flaw.

An effort to blacklist certain addresses tied to The DAO attackers was also stymied mid-rollout after researchers identified a security vulnerability, thus forcing the hard fork option.

Blockchain company Pure Bit has seemingly walked off with $2.7 million worth of investors’ money after raising 13,000 Ethereum in an ICO. Transaction history shows that hours after moving all raised funds out of its wallet, the company proceeded to take down its website. It now returns a blank page.
...
This is the latest in a string of exit scams that took place in the blockchain space in 2018. Indeed, reports suggested exit scammers have thieved more than $100 million worth of cryptocurrency over the last two years alone. Subsequent investigations hint the actual sum of stolen cryptocurrency could be even higher.

in Bitcoin, the weekly mining power of a single entity has never exceeded 21% of the overall power. In contrast, the top Ethereum miner has never had less than 21% of the mining power. Moreover, the top four Bitcoin miners have more than 53% of the average mining power. On average, 61% of the weekly power was shared by only three Ethereum miners. These observations suggest a slightly more centralized mining process in Ethereum.

Although miners do change ranks over the observation period, each spot is only contested by a few miners. In particular, only two Bitcoin and three Ethereum miners ever held the top rank. The same mining pool has been at the top rank for 29% of the time in Bitcoin and 14% of the time in Ethereum. Over 50% of the mining power has exclusively been shared by eight miners in Bitcoin and five miners in Ethereum throughout the observed period. Even 90% of the mining power seems to be controlled by only 16 miners in Bitcoin and only 11 miners in Ethereum.

"Ethereum’s smart contract ecosystem has a considerable lack of diversity. Most contracts reuse code extensively, and there are few creators compared to the number of overall contracts. ... the high levels of code reuse represent a potential threat to the security and reliability. Ethereum has been subject to high-profile bugs that have led to hard forks in the blockchain (also here) or resulted in over $170 million worth of Ether being frozen; like with DNS’s use of multiple implementations, having multiple implementations of core contract functionality would introduce greater defense-in-depth to Ethereum."

P&Ds have dramatic short-term impacts on the prices and volumes of most of the pumped tokens. In the first 70 seconds after the start of a P&D, the price increases by 25% on average, trading volume increases 148 times, and the average 10-second absolute return reaches 15%. A quick reversal begins 70 seconds after the start of the P&D. After an hour, most of the initial effects disappear. ... prices of pumped tokens begin rising five minutes before a P&D starts. The price run-up is around 5%, together with an abnormally high volume. These results are not surprising, as pump group organizers can buy the pumped tokens in advance. When we read related messages posted on social media, we find that some pump group organizers offer premium memberships to allow some investors to receive pump signals before others do. The investors who buy in advance realize great returns. Calculations suggest that an average return can be as high as 18%, even after considering the time it may take to unwind positions. For an average P&D, investors make one Bitcoin (about $8,000) in profit, approximately one-third of a token’s daily trading volume. The trading volume during the 10 minutes before the pump is 13% of the total volume during the 10 minutes after the pump. This implies that an average trade in the first 10 minutes after a pump has a 13% chance of trading against these insiders and on average they lose more than 2% (18%*13%).

The existence of trust-minimizing vote buying and Dark DAO primitives imply that users of all on-chain votes are vulnerable to shackling, manipulation, and control by plutocrats and coercive forces. This directly implies that all on-chain voting schemes where users can generate their own keys outside of a trusted environment inherently degrade to plutocracy, ... Our schemes can also be repurposed to attack proof of stake or proof of work blockchains profitably, posing severe security implications for all blockchains.

"The reason Devcon feels so upbeat despite these storm clouds is that the people building Ethereum have something bigger in mind—something world-changing, in fact. Yet to achieve its goal, this ragtag community needs to crack a problem as complicated as any of the toe-curling technical challenges it faces: how to govern itself. It must find a way to organize a scattered global network of contributors and stakeholders without sacrificing “decentralization”—the principle, which any cryptocurrency community strives for, that no one entity or group should be in control."

"Using data gleaned from the LinkedIn Economic Graph, which serves as a “digital representation of the global economy” by analyzing the skills and job openings from across 590 million members and 30 million companies, LinkedIn found that “blockchain developers” has grown 33-fold in the past four years. In this case, “emerging jobs” refers to the growth of specific job titles on LinkedIn profiles in the period between 2014 and 2018."

"The number of verified users of cryptocurrencies almost doubled in the first three quarters of the year even as the market bellwether Bitcoin tumbled almost 80 percent, according to a study from the Cambridge Centre for Alternative Finance. Users climbed from 18 million to 35 million this year."

"As President Donald Trump threatened to allow a government shutdown if Congress did not provide funding for his proposed wall along the Mexican border, a Republican congressman from Ohio offered up alternative routes to getting the wall built: through Internet crowdfunding or through an initial coin offering....Rep. Davidson told NPR's Steve Inskeep that the donations could come from anyone and be gathered in a number of ways. "You could do it with this sort of, like, crowdfunding site," Davidson explained. "Or you could do it with blockchain—you could have Wall Coins."

"Fundstrat’s Tom Lee’s 2018 forecast for $25,000 Bitcoin was reduced last month to $15,000 by year-end. (The cryptocurrency recently traded at about $3,650.) As foolish as that sounds, it was modest compared to the rest of the asylum. Michael Novogratz forecast that “$40,000 was possible by the end of 2018.” Kay Van-Petersen of Saxo Bank predicted Bitcoin would rise to $50,000 to $100,000 by the end of this year. John McAfee, the eccentric tech entrepreneur, has called for $1 million Bitcoin by 2020. Analogizing crypto to the internet, Tim Draper doubles McAfee, coming in at $2 million.

All of these are notable not just for being wrong, but for their sheer recklessness."

"Remember Basis, the “stablecoin” backed by . . . stability? Back in June we broke the news that Stanford economist, and author of the “Taylor rule”, John Taylor had joined the project. Well, it's shutting up shop.

Basis had a big idea — it wanted to marry traditional monetary theory with cryptonomics, to deliver “a stable cryptocurrency with an algorithmic central bank”. ...The ambitious proposition didn't really convince us, but it did convince many. It had some big financial backers: Silicon Valley VC heavyweights Andreessen Horowitz and Bain Capital Ventures invested, alongside billionaire hedge fund manager Stanley Druckenmiller, and Kevin Warsh, a former governor of the Federal Reserve. A total of $133m was raised (in late 2017, mid-cryptomania, we should point out).

That money is now being given back to investors, however, and Basis is closing down. The reason? Regulators appear to have told them that “bond tokens” and “share tokens” are a bit like “bonds” and “shares” and need to be treated as such."

Businessweek's cover is Rhymes with Bitcoin. After a whole year of "price" collapse, piling on is fine, although it would have been better before the massive pump-and-dump. But it is a shame that, for example, Lionel Laurent's The Messy Political Story of Bitcoin gets so much wrong, including the credulous belief that Bitcoin actually delivers the promised anonymity and decentralization.

"Yet far from ushering in a utopia, blockchain has given rise to a familiar form of economic hell. A few self-serving white men (there are hardly any women or minorities in the blockchain universe) pretending to be messiahs for the world’s impoverished, marginalized, and unbanked masses claim to have created billions of dollars of wealth out of nothing. But one need only consider the massive centralization of power among cryptocurrency “miners,” exchanges, developers, and wealth holders to see that blockchain is not about decentralization and democracy; it is about greed."

"Though McAfee had not been an early adopter of crypto, by chance he had happened to craft the perfect persona for touting it. He had both a credible claim to technical expertise and enough of a moral taint to come across as savvy. Just as candidate Trump claimed that he alone could clean up the swamp because he had decades’ experience buying off politicians, McAfee’s self-advertised misbehavior made him plausible as a guide to a marketplace awash with con artists."

"we have calculated the true volume of the CMC top 25 BTC trading pairs. Most of these pairs actual volume is under 1% of their reported volume on CMC. We noted only 2 out of the top 25 pairs not to be grossly wash trading their volume, Binance and Bitfinex."

"We identified 3,767 different pump signals advertised on Telegram and another 1,051 different pump signals advertised on Discord during a six-month period in 2018. The schemes promoted more than 300 cryptocurrencies. This comprehensive data provides the first measure of the scope of pump and dump schemes across cryptocurrencies and suggest that this phenomenon is widespread and often quite profitable. This should raise concerns among regulators. We then examine which factors that affect the “success” of the pump, as measured by the percentage increase in price near the pump signal. We find that the coin’s rank (market capitalization/volume) is the most important factor in determining the profitability of the pump: pumping obscure coins (with low volume) is much more profitable than pumping the dominant coins in the ecosystem."

"The whole point of proof-of-*whatever* is really not about "security" but preventing sybils: someone from spinning up a gazillion validators and voting themselves all the money. PoW, PoS, they all fail to do this well."

"Attackers have stolen almost $500,000 worth of the Ethereum Classic digital currency by carrying out a compute-intensive hack that rewrote its blockchain, officials with Coinbase, one of the leading crypto currency exchanges, said on Monday."

According to coinmarketcap.com, ETC is the 18th biggest cryptocurrency, with a "market cap" of $523,350,707. But that's not enough to keep it secure. Only a few of the biggest altcoins have enough mining power relative to their "price" to deter 51% attacks.

"We attempt to determine how difficult that puzzle should be so as to be effective in preventing spam. We analyse this both from an economic perspective, "how can we stop it being cost-effective to send spam", and from a security perspective, "spammers can access insecure end-user machines and will steal processing cycles to solve puzzles". Both analyses lead to similar values of puzzle difficulty. Unfortunately, real-world data from a large ISP shows that these difficulty levels would mean that significant numbers of senders of legitimate email would be unable to continue their current levels of activity. We conclude that proof-of-work will not be a solution to the problem of spam."

"As Weaver puts it, it’s “a nice illustration of how proof-of-waste schemes cannot be both efficient and secure.” The more it costs to mine a block, the more expensive it is to outspend the honest miners for long to reverse a transaction. Electricity prices vary from miner to miner, but Weaver estimates that the Bitcoin network currently runs through about $300,000 in electricity each hour, while the smaller Ethereum network runs at roughly $100,000 per hour. For Weaver, any coin much smaller than that is at risk of a 51 percent attack. Ethereum Classic clocks in at roughly $5,000 per hour."
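Weaver's per-hour figures can be turned into a deposit-acceptance policy: an exchange should not credit a deposit until reversing it would cost the attacker more than it is worth. This is an added example, not code from the post or from Weaver; it takes the hourly electricity estimates quoted above as the attacker's minimum spend and assumes block intervals (Bitcoin 10 minutes, Ethereum and Ethereum Classic 15 seconds) that the post does not give.

```python
"""Confirmation-depth policy from the mining-cost argument.

Added example, not from the original post. Model: to rewrite N confirmed
blocks an attacker must out-mine the honest network for the time those
blocks took, so the honest network's spend over that window is a lower
bound on the attack's cost. Hourly figures are Weaver's estimates quoted
above; block intervals are assumptions, not from the post.
"""
import math

# (usd_per_hour from the post, seconds_per_block assumed)
CHAINS = {
    "Bitcoin":          (300_000, 600),  # ~10 min blocks (assumption)
    "Ethereum":         (100_000, 15),   # ~15 s blocks (assumption)
    "Ethereum Classic": (5_000,   15),   # ~15 s blocks (assumption)
}


def reorg_cost_usd(usd_per_hour, seconds_per_block, confirmations):
    """Lower bound on the cost of reversing a transaction buried under
    `confirmations` blocks: the honest mining spend over those blocks."""
    if usd_per_hour <= 0 or seconds_per_block <= 0:
        raise ValueError("a chain with no mining spend has no 51% deterrent")
    return usd_per_hour * confirmations * seconds_per_block / 3600


def confirmations_for_deposit(usd_per_hour, seconds_per_block,
                              deposit_usd, safety_factor=1.0):
    """Smallest depth at which reversing the deposit costs more than
    safety_factor times its value. Always at least 1."""
    if usd_per_hour <= 0 or seconds_per_block <= 0:
        raise ValueError("a chain with no mining spend has no 51% deterrent")
    needed = deposit_usd * safety_factor * 3600 / (usd_per_hour * seconds_per_block)
    return max(1, math.ceil(needed))


def deposit_policy(deposit_usd, chains=CHAINS, safety_factor=1.0):
    """Per chain: confirmations to wait, the resulting delay in hours,
    and the attack cost that depth buys."""
    policy = {}
    for name, (usd_per_hour, secs) in chains.items():
        confs = confirmations_for_deposit(usd_per_hour, secs,
                                          deposit_usd, safety_factor)
        policy[name] = {"confirmations": confs,
                        "wait_hours": confs * secs / 3600,
                        "attack_cost_usd": reorg_cost_usd(usd_per_hour, secs, confs)}
    return policy


if __name__ == "__main__":
    # A deposit of the size the Ethereum Classic attackers double-spent.
    for chain, p in deposit_policy(1_000_000).items():
        print(f"{chain:17s} {p['confirmations']:>6d} confs, "
              f"~{p['wait_hours']:.1f} h wait, "
              f"attack cost >= ${p['attack_cost_usd']:,.0f}")
```

For a $1M deposit the policy asks for 20 Bitcoin confirmations (about 3.3 hours) but 48,000 Ethereum Classic confirmations (200 hours), which is the "not enough to keep it secure" point in numbers.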

"I feel like I am constantly reading about transaction limits for withdrawals of money from the crypto ecosystem, while I much less frequently read about transaction limits for putting money in. Similarly anti-money-laundering and know-your-customer procedures seem to constrain people from taking money out of cryptocurrencies more than they constrain people trying to put money in. It is an odd one-way ratchet."

"The Cyberspace Administration of China (CAC) will require any “entities or nodes” that provide “blockchain information services” to collect users’ real names and national ID or telephone numbers, and allow government officials to access that data.

It will ban companies from using blockchain technology to “produce, duplicate, publish, or disseminate” any content that Chinese law prohibits."

"Collectively, U.S. investors who have sold their bitcoin incurred realized losses of approximately $1.7 billion. As for those who haven’t sold yet, their unrealized losses total an approximate $5.7 billion."

"This report is based on tokens where the team controlled holding’s were worth an astonishing US$24.2 billion on issuance (in reality liquidity was too low for this value to be realized). Today this figure has fallen to around US$5 billion, with the difference primarily being caused by a fall in the market value of the tokens, alongside US$1.5 billion of transfers away from team address clusters (possibly disposals)."

"According to reports coming from CCN, a hacker is selling hacked KYC data on the dark web, data which the hacker claims to have collected from some of the cryptocurrency exchanges such as Poloniex, Binance, Bittrex and Bitfinex....The ad put up by the hacker is said to have been up and running since July 2018 and the hacked KYC data discloses personal information ranging from drivers licence, ID cards to passport data."

KYC is "Know Your Customer", part of the anti-money-laundering regulations.

Munawar Gul is a Bitcoin enthusiast. His The Fall of the Blockchain Hype Men is a diatribe against the explosion of patents littering the blockchain space, and the way big corporations are using them to defend their permissioned blockchain implementations:

"Blockchain analytics firm Chainalysis spent around three months tracking funds that had been stolen in known hacks. It was able to link much of that money to two groups, which it dubbed Alpha and Beta. If the group’s analysis is correct, then the two groups would account for 60% of all publicly reported crypto-heists."

"A cryptocurrency exchange in Canada has lost control of at least $137 million of its customers’ assets following the sudden death of its founder, who was the only person known to have access the the offline wallet that stored the digital coins. British Columbia-based QuadrigaCX is unable to access most or all of another $53 million because it’s tied up in disputes with third parties."

"The protocols that we have are not very good at scaling to large numbers of participants, they have built in forces toward centralization. In proof of work currencies, economies of scale, ability to acquire cheap electricity and access to supply chains mean that there will always be a few hardware manufacturers that dominate the mining industry. We’ve seen that Bitcoin mining tends toward centralization, and certain groups become more and more prominent. The only force aiding us is that these mining concerns operate in a competitive industry, and there’s high turnover. But right now, just a few players can easily launch 51% attacks and can censor transactions if compelled."

I was remiss in not pointing out that at the same time in 2003 as we published the LOCKSS protocol using decentralized consensus and proof of work, Vivek Vishnumurthy, Sangeeth Chandrakumar and Emin Gün Sirer published Karma, an actual cryptocurrency using decentralized consensus and proof of work. Both teams started work about the same time in 2002, so the ideas were in the air then.

"With the top 10 crypto assets down 80 percent in the last 12 months and skepticism mounting, many fintech pros concluded that the technology may not be ready for prime time, especially in an industry this heavily regulated....Perhaps nothing drove that point home more than the face-off between Gottfried Leibbrandt, the chief executive officer of Swift, and Brad Garlinghouse, the CEO of San Francisco’s Ripple Labs Inc. Swift is a 46-year-old cooperative that directs trillions of dollars in cross-border payments between thousands of banks. Garlinghouse has repeatedly vowed to leapfrog Swift’s 1970s-conceived system with a faster, cheaper blockchain-like one."

"Nobody uses Ripple Labs’ tech — Ripple’s “200+ Institutional Clients” Claim Is A Scam. “Not a single one of Ripple’s clients appears to be real, or an actual client.”...Remember how Ripple Labs claimed a “partnership” with Santander — and told the press things like “We are covering 50% of all the FX payments the Santander Group does annually,” then tweeted them from the official Ripple account? It turns out they’re talking about an iPhone app, “Santander One Pay FX,” which uses Ripple’s xCurrent. The app has 17 ratings and one review — almost nobody uses it. It turns out that “covering” means the app is available in Spain, UK, Brazil and Poland — which together contain 50% of Santander’s customers — and does not in any way mean that those customers use it."

"The market for personal loans in cryptocurrency isn’t exactly huge, so the main source of demand to borrow bitcoin comes from people who want to short it. As the demand to short bitcoin through futures grows, the futures price will trade at a wider discount to spot, and the implied bitcoin interest rate will move higher.

And this is what’s been happening since mid-November, when bitcoin prices collapsed below $6000 and never looked back. The demand to short bitcoin in the futures market increased; so the futures started trading at a bigger discount to spot; and that increased the implied bitcoin interest rate."

"five unaffiliated OTC desks all told CoinDesk there was no demand for GUSD among their trading networks. OTC traders said it appears a high percentage of perceived GUSD trading activity is concentrated on exchanges that they do not use.

“The trading volume is dictated by [Gemini’s] actions and has nothing to do with the market, per se,” said one anonymous OTC trader who has worked with GUSD.

According to CoinMarketCap, the exchanges with the highest GUSD trading volume include OEX, Hotbit, Bitrue and Fatbtc. Gemini has no direct association with these exchanges.

In particular, OEX and Fatbtc are both ranked on the Blockchain Transparency Institutes’ advisory list. The nonprofit estimated that over 98 percent of those exchanges’ activity comes from automated trades, which typically involves bots rather than real users."

"Do you need a public blockchain? The answer is almost certainly no. A blockchain probably doesn’t solve the security problems you think it solves. The security problems it solves are probably not the ones you have. (Manipulating audit data is probably not your major security risk.) A false trust in blockchain can itself be a security risk. The inefficiencies, especially in scaling, are probably not worth it. I have looked at many blockchain applications, and all of them could achieve the same security properties without using a blockchain—of course, then they wouldn’t have the cool name."

Now Bitcoin SV, one of the increasingly many forks of Satoshi's original, has raised its transaction size limit to 100KB, allowing much bigger and better content to be stored immutably in its blockchain. And, naturally, as David Canellis reports in BitcoinSV ‘feature’ exploited to store child abuse imagery on the blockchain, among the first content to take advantage of this feature is child porn:

"A change to the Bitcoin Satoshi’s Vision (BSV) protocol has inadvertently led to child exploitation material being posted to its blockchain, forcing apps and block explorers into actively monitoring the network for illegal content."

Filtering blockchains for illegal content is problematic because, as Nicholas Weaver points out in his talk for Enigma, it opens the blockchain up to a very simple and effective attack:

"In late 2017 the Bitcoin network hit a capacity limit which caused fees to enter a death spiral, so if you wanted your transaction to go through you had to outbid everyone else. This is exploitable. Someone could spam the network whenever it's below the death spiral point, shutting it down at will. And when it is above, do nothing but laugh.

Keep this up until the network installs spam filters, and then the attacker starts a more interesting game: tuning spam not to get through the filters but to have the filters trigger false positives. How well would a currency work if 1-2% of transactions are randomly blocked by spam filters?

Ethereum seems a particularly ripe target, with a full blockchain of over 2TB and working sets measured in the 100s of GB. What happens if an attacker adds a 0 or two to those numbers?"

"An upset Mt. Gox creditor analyses the data from the bankruptcy trustee’s sale of bitcoins. He thinks he’s demonstrated incompetent dumping by the trustee — but actually shows that a “market cap” made of 18 million BTC can be crashed by selling 60,000 BTC, over months, at market prices, which suggests there is no market."

"In November this guesting Alphavillian wrote an article for the Financial Times about the falling price of bitcoin (what's new?). Half an hour later we received a direct Twitter message from an account saying it was a good time to invest in the cryptocurrency, which could become a “second source of income.”

They said with an investment of $300 in crypto, on trading platform Crypto365, we could earn $3,000 in five days."

"Toward the middle of 2018, attackers began springing 51% attacks on a series of relatively small, lightly traded coins including Verge, Monacoin, and Bitcoin Gold, stealing an estimated $20 million in total. In the fall, hackers stole around $100,000 using a series of attacks on a currency called Vertcoin. The hit against Ethereum Classic, which netted more than $1 million, was the first against a top-20 currency."

And bugs in "smart contracts":

"Last month, Tsankov’s team at ChainSecurity saved Ethereum from a possible repeat of the DAO catastrophe. Just a day before a major planned software upgrade, the company told Ethereum’s lead developers that it would have the unintended consequence of leaving some contracts on the blockchain newly vulnerable to the same kind of bug that led to the DAO hack. The developers promptly postponed the upgrade and will give it another go later this month."

- Slide 7 says "Participants can be anonymous" but means pseudonymous. And "Consensus mechanism prevents double-spending.–Secure- except for bugs" but ignores 51% attacks. It should say "Consensus mechanism makes double-spending costly" but in many cases now it isn't costly enough.

- Slide 14 says LOCKSS uses Byzantine Fault Tolerance, which is wrong. It uses an original consensus mechanism that is related to BFT but is statistical in nature.

"The latest group of Hacking Team war criminals to find themselves reaccepted into polite society is the staff of Neutrino, a startup acquired by the cryptocurrency company Coinbase, to do forensic tracking of blockchain transactions.

Many Coinbase users have concluded that they do not want to entrust their finances to a company that includes these unsavory characters, and so was born the #DeleteCoinbase movement to coordinate divestiture from the company.

However, Coinbase will only allow you to delete your account if it has a zero balance, free of "dust" (infinitesimal residues left behind from fractional cryptocurrency transactions) and users are finding it impossible to rid themselves of their dust, which Coinbase insists is merely an accident and nothing to do with not wanting disgruntled users to leave."

2) The US has charged the founders of OneCoin with wire fraud - there wasn't even one coin.

3) 1pool/1broker has to pay a $421,000 fine and refund their customers bitcoin even though they were based outside the US.

4) Two Australian exchanges got suspended for links to organized crime and drugs.

5) The Canada Revenue Agency is auditing Bitcoin users. Here's the 13-page questionnaire to give some idea of the answers users need to be prepared with.

6) Remember that wash trading is illegal: "Crypto Integrity found that up to 88% of reported volumes in February were artificial at some of the highest reported volume exchanges. On some less liquid trading pairs, the group estimates up to 100% of the volume is fake."